⚡ Active KEV CVE-2020-9715 2026-05-17

CVE-2020-9715: Adobe Acrobat Use-After-Free Enables Code Execution

A use-after-free flaw in Adobe Acrobat and Reader can lead to arbitrary code execution when a user opens a crafted document, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-13.

What Is It

CVE-2020-9715 is a use-after-free vulnerability (CWE-416) affecting Adobe Acrobat and Reader, originally disclosed by Adobe on 2020-08-19 in security bulletin APSB20-48. The flaw allows arbitrary code execution in the context of the user running the vulnerable application. NVD rates it CVSS 3.1 7.8 (HIGH), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, low complexity, no privileges required, and user interaction required (typically opening a malicious PDF). Impact to confidentiality, integrity, and availability is rated HIGH for all three.

Why It Matters

CISA added CVE-2020-9715 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-13, confirming active exploitation in the wild. Federal civilian agencies were given a due date of 2026-04-27 to remediate under BOD 22-01. Known ransomware campaign use is listed as Unknown. Because exploitation only requires a user to open a crafted PDF, this flaw is well-suited to phishing and targeted document-delivery attacks against endpoints, a category in which Acrobat and Reader have historically been heavily abused.

What's Vulnerable

Per NVD, the following Adobe Acrobat and Acrobat Reader DC versions on Windows and macOS are affected:

Patch Status

Adobe published fixes in security bulletin APSB20-48 (August 2020). CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Organizations still running unpatched Acrobat or Reader DC builds in the version ranges above should update immediately given confirmed active exploitation.

Sources